From 51792e126bddaabf572132f1e0d4ed9bfd324c58 Mon Sep 17 00:00:00 2001 From: Denys Vlasenko Date: Sun, 14 Apr 2019 19:57:13 +0200 Subject: httpd: if remote IP is denied, send FORBIDDEN reply earlier While at it, fix sighup_handler to not clobber errno. function old new delta send_HTTP_FORBIDDEN_and_exit_if_denied_ip - 47 +47 sighup_handler 15 30 +15 handle_incoming_and_exit 2791 2763 -28 checkPermIP 48 - -48 ------------------------------------------------------------------------------ (add/remove: 1/1 grow/shrink: 1/1 up/down: 62/-76) Total: -14 bytes Signed-off-by: Denys Vlasenko --- networking/httpd.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/networking/httpd.c b/networking/httpd.c index b52526a78..f713f6929 100644 --- a/networking/httpd.c +++ b/networking/httpd.c @@ -95,9 +95,7 @@ * If -c is not set, an attempt will be made to open the default * root configuration file. If -c is set and the file is not found, the * server exits with an error. - * */ - /* TODO: use TCP_CORK, parse_config() */ //config:config HTTPD //config: bool "httpd (32 kb)" //config: default y @@ -246,6 +244,8 @@ //usage: "\n -e STRING HTML encode STRING" //usage: "\n -d STRING URL decode STRING" +/* TODO: use TCP_CORK, parse_config() */ + #include "libbb.h" #include "common_bufsiz.h" #if ENABLE_PAM @@ -1817,7 +1817,7 @@ static NOINLINE void send_file_and_exit(const char *url, int what) log_and_exit(); } -static int checkPermIP(void) +static void send_HTTP_FORBIDDEN_and_exit_if_denied_ip(void) { Htaccess_IP *cur; @@ -1837,10 +1837,13 @@ static int checkPermIP(void) ); #endif if ((rmt_ip & cur->mask) == cur->ip) - return (cur->allow_deny == 'A'); /* A -> 1 */ + if (cur->allow_deny == 'A') + return; + send_headers_and_exit(HTTP_FORBIDDEN); } - return !flg_deny_all; /* depends on whether we saw "D:*" */ + if (flg_deny_all) /* depends on whether we saw "D:*" */ + send_headers_and_exit(HTTP_FORBIDDEN); } #if ENABLE_FEATURE_HTTPD_BASIC_AUTH @@ -2090,7 +2093,6 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr) #if ENABLE_FEATURE_HTTPD_BASIC_AUTH smallint authorized = -1; #endif - smallint ip_allowed; char http_major_version; #if ENABLE_FEATURE_HTTPD_PROXY char http_minor_version; @@ -2240,14 +2242,14 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr) bb_error_msg("url:%s", urlcopy); tptr = urlcopy; - ip_allowed = checkPermIP(); - while (ip_allowed && (tptr = strchr(tptr + 1, '/')) != NULL) { + send_HTTP_FORBIDDEN_and_exit_if_denied_ip(); + while ((tptr = strchr(tptr + 1, '/')) != NULL) { /* have path1/path2 */ *tptr = '\0'; if (is_directory(urlcopy + 1, /*followlinks:*/ 1)) { /* may have subdir config */ parse_conf(urlcopy + 1, SUBDIR_PARSE); - ip_allowed = checkPermIP(); + send_HTTP_FORBIDDEN_and_exit_if_denied_ip(); } *tptr = '/'; } @@ -2380,7 +2382,7 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr) /* We are done reading headers, disable peer timeout */ alarm(0); - if (strcmp(bb_basename(urlcopy), HTTPD_CONF) == 0 || !ip_allowed) { + if (strcmp(bb_basename(urlcopy), HTTPD_CONF) == 0) { /* protect listing [/path]/httpd.conf or IP deny */ send_headers_and_exit(HTTP_FORBIDDEN); } @@ -2593,7 +2595,9 @@ static void mini_httpd_inetd(void) static void sighup_handler(int sig UNUSED_PARAM) { + int sv = errno; parse_conf(DEFAULT_PATH_HTTPD_CONF, SIGNALED_PARSE); + errno = sv; } enum { -- cgit v1.2.3